diff --git a/tests/integration/api/Auth/AuthenticateWithApiKeyTest.php b/tests/integration/api/Auth/AuthenticateWithApiKeyTest.php
deleted file mode 100644
index e1943e040..000000000
--- a/tests/integration/api/Auth/AuthenticateWithApiKeyTest.php
+++ /dev/null
@@ -1,166 +0,0 @@
-prepareDatabase([
- 'users' => [
- $this->adminUser(),
- $this->normalUser(),
- ],
- ]);
- }
-
- protected function key(int $user_id = null): ApiKey
- {
- return ApiKey::unguarded(function () use ($user_id) {
- return ApiKey::query()->firstOrCreate([
- 'key' => Str::random(),
- 'user_id' => $user_id,
- 'created_at' => Carbon::now()
- ]);
- });
- }
-
- /**
- * @test
- */
- public function cannot_authorize_without_key()
- {
- /** @var Client $api */
- $api = $this->app()->getContainer()->make(Client::class);
-
- $response = $api->send(CreateGroupController::class, new Guest);
-
- $this->assertEquals(401, $response->getStatusCode());
- }
-
- /**
- * @test
- */
- public function master_token_can_authenticate_as_anyone()
- {
- $key = $this->key();
-
- $request = ServerRequestFactory::fromGlobals()
- ->withAddedHeader('Authorization', "Token {$key->key}; userId=1");
-
- $pipe = $this->injectAuthorizationPipeline();
-
- $response = $pipe->handle($request);
-
- $this->assertEquals(200, $response->getStatusCode());
- $this->assertEquals(1, $response->getHeader('X-Authenticated-As')[0]);
-
- $key = $key->refresh();
-
- $this->assertNotNull($key->last_activity_at);
-
- $key->delete();
- }
-
- /**
- * @test
- */
- public function personal_api_token_cannot_authenticate_as_anyone()
- {
- $user = User::find(2);
-
- $key = $this->key($user->id);
-
- $request = ServerRequestFactory::fromGlobals()
- ->withAddedHeader('Authorization', "Token {$key->key}; userId=1");
-
- $pipe = $this->injectAuthorizationPipeline();
-
- $response = $pipe->handle($request);
-
- $this->assertEquals(200, $response->getStatusCode());
- $this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);
-
- $key = $key->refresh();
-
- $this->assertNotNull($key->last_activity_at);
-
- $key->delete();
- }
-
- /**
- * @test
- */
- public function personal_api_token_authenticates_user()
- {
- $user = User::find(2);
-
- $key = $this->key($user->id);
-
- $request = ServerRequestFactory::fromGlobals()
- ->withAddedHeader('Authorization', "Token {$key->key}");
-
- $pipe = $this->injectAuthorizationPipeline();
-
- $response = $pipe->handle($request);
-
- $this->assertEquals(200, $response->getStatusCode());
- $this->assertEquals($user->id, $response->getHeader('X-Authenticated-As')[0]);
-
- $key = $key->refresh();
-
- $this->assertNotNull($key->last_activity_at);
-
- $key->delete();
- }
-
- protected function injectAuthorizationPipeline(): MiddlewarePipe
- {
- app()->resolving('flarum.api.middleware', function ($pipeline) {
- $pipeline->pipe(new class implements MiddlewareInterface {
- public function process(
- ServerRequestInterface $request,
- RequestHandlerInterface $handler
- ): ResponseInterface {
- if ($actor = $request->getAttribute('actor')) {
- return new Response\EmptyResponse(200, [
- 'X-Authenticated-As' => $actor->id
- ]);
- }
- }
- });
- });
-
- $pipe = app('flarum.api.middleware');
-
- return $pipe;
- }
-}
diff --git a/tests/integration/api/authentication/WithApiKeyTest.php b/tests/integration/api/authentication/WithApiKeyTest.php
new file mode 100644
index 000000000..2d716560d
--- /dev/null
+++ b/tests/integration/api/authentication/WithApiKeyTest.php
@@ -0,0 +1,121 @@
+prepareDatabase([
+ 'users' => [
+ $this->adminUser(),
+ $this->normalUser(),
+ ],
+ 'api_keys' => [],
+ ]);
+ }
+
+ protected function key(int $user_id = null): ApiKey
+ {
+ return ApiKey::unguarded(function () use ($user_id) {
+ return ApiKey::query()->firstOrCreate([
+ 'key' => Str::random(),
+ 'user_id' => $user_id,
+ 'created_at' => Carbon::now()
+ ]);
+ });
+ }
+
+ /**
+ * @test
+ */
+ public function cannot_authorize_without_key()
+ {
+ $response = $this->send(
+ $this->request('GET', '/api')
+ );
+
+ $data = json_decode($response->getBody(), true);
+ $this->assertFalse($data['data']['attributes']['canViewUserList']);
+ }
+
+ /**
+ * @test
+ */
+ public function master_token_can_authenticate_as_anyone()
+ {
+ $key = $this->key();
+
+ $response = $this->send(
+ $this->request('GET', '/api')
+ ->withAddedHeader('Authorization', "Token {$key->key}; userId=1")
+ );
+
+ $data = json_decode($response->getBody(), true);
+ $this->assertTrue($data['data']['attributes']['canViewUserList']);
+ $this->assertArrayHasKey('adminUrl', $data['data']['attributes']);
+
+ $key->refresh();
+
+ $this->assertNotNull($key->last_activity_at);
+ }
+
+ /**
+ * @test
+ */
+ public function personal_api_token_cannot_authenticate_as_anyone()
+ {
+ $key = $this->key(2);
+
+ $response = $this->send(
+ $this->request('GET', '/api')
+ ->withAddedHeader('Authorization', "Token {$key->key}; userId=1")
+ );
+
+ $data = json_decode($response->getBody(), true);
+ $this->assertTrue($data['data']['attributes']['canViewUserList']);
+ $this->assertArrayNotHasKey('adminUrl', $data['data']['attributes']);
+
+ $key->refresh();
+
+ $this->assertNotNull($key->last_activity_at);
+ }
+
+ /**
+ * @test
+ */
+ public function personal_api_token_authenticates_user()
+ {
+ $key = $this->key(2);
+
+ $response = $this->send(
+ $this->request('GET', '/api')
+ ->withAddedHeader('Authorization', "Token {$key->key}")
+ );
+
+ $data = json_decode($response->getBody(), true);
+ $this->assertTrue($data['data']['attributes']['canViewUserList']);
+ $this->assertArrayNotHasKey('adminUrl', $data['data']['attributes']);
+
+ $key->refresh();
+
+ $this->assertNotNull($key->last_activity_at);
+ }
+}
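Review bot: The new test class never sends a token that is present but unknown — a `Token …` value matching no `api_keys` row, with or without `; userId=1` — so the hunk shows that valid keys work and that no key yields guest attributes, but not that an unrecognised key is held at guest level; `cannot_authorize_without_key` and the three token tests all leave this gap. The intended outcome for an unknown key is not visible here (guest fallback or a rejected status), so the added case below reuses the guest expectation from `cannot_authorize_without_key` and should switch to a status-code assertion if the middleware rejects such requests outright. In the two personal-key tests, `assertArrayNotHasKey('adminUrl', …)` proves the actor is not the admin but not that it is user 2, so the "cannot authenticate as anyone" claim rests on an indirect proxy; an attribute tied to that user would make it direct. The class header and the start of `setUp()` are not visible in this hunk.
```php
    // … unchanged: key() helper and the existing test methods …

    /**
     * @test
     */
    public function unknown_key_is_treated_as_guest()
    {
        $response = $this->send(
            $this->request('GET', '/api')
                ->withAddedHeader('Authorization', 'Token ' . Str::random() . '; userId=1')
        );

        // Same expectation as cannot_authorize_without_key; change to a status assertion if unknown keys are rejected.
        $data = json_decode($response->getBody(), true);
        $this->assertFalse($data['data']['attributes']['canViewUserList']);
    }
```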